bug(cyclonedx): CycloneDX report includes empty license

[DmitriyLewen]

Description

If Trivy can't normilize license - Trivy includes empty LicenseChoice element into CycloneDX report:

trivy/pkg/sbom/cyclonedx/marshal.go

Lines 318 to 323 in 298a994

	normalizedLicenses, err := expression.Normalize(license, licensing.NormalizeLicense, expression.NormalizeForSPDX)
	if err != nil {
	// Not fail on the invalid license
	m.logger.Warn("Unable to marshal SPDX licenses", log.String("license", license))
	return cdx.LicenseChoice{}
	}

Discussed in #9321